
Configuring a site-to-site VPN: Cisco 2811 router to ASA 5510

SITE A, CISCO 2811 ROUTER:

Step 0: Bring up the PPPoE session on the Cisco router (the Dialer0 interface used below is its WAN interface).
Step 1: Create the Internet Key Exchange (IKE) policy:
Router(config)#crypto isakmp policy 10
Router(config-isakmp)#encryption 3des
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#group 2
(The hash is left at the IOS default, SHA-1. The ASA policy must use the same encryption, hash, Diffie-Hellman group and authentication method, or phase 1 never completes. 3DES, SHA-1 and group 2 are legacy choices; use AES, SHA-256 and group 14 or higher where both ends support them.)

Step 2: Create the pre-shared key used for the VPN connection:
Router(config)#crypto isakmp key Cisco123 address 210.245.101.100 (IP of the ASA at site B)
(Cisco123 is only the sample value used on this page; use a long random key in production, and configure the same key on the ASA.)
Step 3: Set the IPsec (phase 2) security-association lifetime (the IOS default is 3600 seconds):
Router(config)#crypto ipsec security-association lifetime seconds 86400

Step 4: Configure the ACL for the IP ranges that are allowed through the VPN.

Note: When the router both dials PPPoE and runs the site-to-site VPN, configure NAT overload as follows, so that traffic destined for the remote site is exempted from translation:
Router(config)#ip nat inside source route-map nonat interface Dialer0 overload
Router(config)#route-map nonat permit 10
Router(config-route-map)#match ip address 100
Router(config)#access-list 100 deny ip 192.168.6.0 0.0.0.255 10.16.3.0 0.0.0.255
Router(config)#access-list 100 permit ip 192.168.6.0 0.0.0.255 any
Router(config)#access-list 101 permit ip 192.168.6.0 0.0.0.255 10.16.3.0 0.0.0.255
ACL 100 selects what gets translated: everything from the LAN except site-to-site traffic, which must keep its private source address so that it still matches the crypto ACL. ACL 101 is the crypto ACL that defines the interesting traffic for the tunnel; the ASA side must define the exact mirror image of it.
=> The inside network can then both reach the Internet and use the VPN.

Step 5: Define the transform set that will be used for this VPN connection:
Router(config)#crypto ipsec transform-set SET-VPN esp-3des esp-sha-hmac

Step 6: Create the crypto map that ties together the peer, the transform set and the crypto ACL:
Router(config)#crypto map MAP-VPN 1 ipsec-isakmp
Router(config-crypto-map)#set peer 210.245.101.100 (IP of the ASA at site B)
Router(config-crypto-map)#set transform-set SET-VPN (the set name from step 5)
Router(config-crypto-map)#match address 101 (101: the ACL number from step 4)

Step 7: Apply the crypto map to the WAN interface (with PPPoE this is the dialer interface, not the physical Ethernet port):
Router(config)#interface dialer 0
Router(config-if)#crypto map MAP-VPN
SITE B, ASA 5510:
Step 1: Create the Connection Profile:
Log in to ASDM, open the Wizards menu (Startup Wizards) and choose IPsec VPN Wizard.

At wizard step 1:
+ Tick Site-to-Site
+ VPN Tunnel Interface: choose outside (the WAN interface)
+ Tick Enable, then click Next

At wizard step 2:
+ Peer IP Address: enter the WAN IP of the 2811 router (site A).
+ Pre-shared key: type Cisco123 (the same pre-shared key configured on the site A router in step 2), then click Next.

At wizard step 3 (IKE Policy), choose the encryption and authentication settings; they must be the same type as on the Cisco 2811 router. Here the defaults are kept, because in step 1 at site A we chose 3DES with pre-shared-key authentication (pre-share). Also check that the hash is SHA and the Diffie-Hellman group is 2, since that is what the router policy uses (SHA-1 by default, group 2 explicitly); a mismatch in any of these values makes phase 1 fail.

At wizard step 4, choose the encryption and authentication algorithms for the tunnel (IPsec); these must match the Cisco 2811 at site A. Here we choose 3DES and SHA, because in step 5 at site A we chose esp-3des esp-sha-hmac.

At wizard step 5 (corresponding to step 4 at site A), define the networks allowed through the VPN:
+ Local network: 10.16.3.0/24
+ Remote network: 192.168.6.0/24
+ For the address-translation exemption, choose the inside interface (this is what creates the nonat rule on the ASA). Then click Next.

Click Finish to complete the connection (Connection Profile).

Once the connection is created, enable the interface for IPsec access:
+ Under Access Interfaces, click the outside interface, tick its Allow Access check box and click Save.

Step 2: Create the access list:
After the Connection Profile is created, set the nonat access list for the VPN connection. Note that nonat is disabled by default; you must enable it first, and only then can you create the access-list entries for nonat.
+ Expand the plus sign at Certificate to Connection Profile and choose ACL Manager; right-click nonat and choose Add ACE.
Permit IP traffic between the two VPN networks, 10.16.3.0/24 and 192.168.6.0/24 (the same pair as the router's ACL 101). Without this exemption the ASA translates the local source addresses before the crypto map is evaluated, the traffic no longer matches the crypto ACL, and it is sent to the Internet in the clear instead of into the tunnel.

After the ACE is added, the result looks like the screenshot below.

In the same way, check whether the outside and inside access lists already permit the traffic (by default outside_cryptomap is created automatically when the Connection Profile is created).
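The ASDM wizard and ACL Manager steps above write an equivalent set of CLI commands to the ASA. The consolidated configuration below is an added example, not taken from the page, showing that CLI for an ASA running pre-8.3 software (8.0/8.2 syntax, where NAT exemption is a nat (inside) 0 rule, which is the form the page's nonat ACL corresponds to). It assumes the interfaces are already named outside (210.245.101.100) and inside; the crypto map name outside_map, the transform-set name ESP-3DES-SHA and the placeholder ROUTER-WAN-IP are assumptions, because the page does not state the router's public address. On ASA 8.3 and later the NAT exemption is written as a twice-NAT (nat ... source static) rule instead.

```cisco
! Site B, ASA 5510 (ASA 8.2 syntax). Added example; items marked ASSUMED are not from the page.
! Interfaces are assumed to be already configured as "outside" (210.245.101.100) and "inside".
!
! Interesting traffic: local 10.16.3.0/24 -> remote 192.168.6.0/24.
! This must be the exact mirror image of the router's ACL 101.
access-list outside_cryptomap extended permit ip 10.16.3.0 255.255.255.0 192.168.6.0 255.255.255.0
!
! NAT exemption (the "nonat" ACL added in ACL Manager) so that VPN traffic keeps its
! private source address; all other inside traffic is PATed to the outside interface IP.
access-list nonat extended permit ip 10.16.3.0 255.255.255.0 192.168.6.0 255.255.255.0
nat (inside) 0 access-list nonat
global (outside) 1 interface
nat (inside) 1 10.16.3.0 255.255.255.0
!
! Phase 1: must match the router's "crypto isakmp policy 10"
! (3DES, SHA-1 hash which is the IOS default, pre-shared key, DH group 2).
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
!
! Phase 2: mirror of the router's SET-VPN (esp-3des esp-sha-hmac).
! The transform-set name ESP-3DES-SHA is ASSUMED.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
!
! Crypto map bound to the outside interface. The map name outside_map is ASSUMED.
! ROUTER-WAN-IP is a placeholder for the site A router's public (PPPoE) address.
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer ROUTER-WAN-IP
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
! LAN-to-LAN tunnel group keyed on the peer address, carrying the same PSK as the router.
tunnel-group ROUTER-WAN-IP type ipsec-l2l
tunnel-group ROUTER-WAN-IP ipsec-attributes
 pre-shared-key Cisco123
!
! Let decrypted IPsec traffic bypass the outside interface ACL
! (the Enable check box in wizard step 1).
sysopt connection permit-vpn
```

Because the router at site A gets its address from PPPoE, the tunnel-group and set peer entries must be updated whenever that address changes; if the provider does not give a static address, the ASA side needs a dynamic crypto map and the router must be the side that initiates the tunnel.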

Result: the two sites can ping each other:
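A successful ping is only the last check. The commands below are an added example (not from the page) of what to run on each side to confirm phase 1, phase 2 and the NAT exemption independently; the expected states come from normal IOS and ASA behaviour, and the LAN gateway addresses 192.168.6.1 and 10.16.3.1 used in the ping are assumptions, as is the ROUTER-WAN-IP placeholder.

```cisco
! Site A router (IOS). Trigger the tunnel first with traffic that matches ACL 101.
! A plain "ping 10.16.3.1" is sourced from the dialer address and does NOT match the
! crypto ACL, so source it from the LAN interface address (192.168.6.1 is ASSUMED).
Router#ping 10.16.3.1 source 192.168.6.1
Router#show crypto isakmp sa
! Expect one entry for 210.245.101.100 in state QM_IDLE (phase 1 complete).
Router#show crypto ipsec sa
! Under "local ident 192.168.6.0/255.255.255.0 ... remote ident 10.16.3.0/255.255.255.0"
! the #pkts encaps and #pkts decaps counters must both increase. encaps rising while
! decaps stays at 0 means the ASA is not sending traffic back (check its nonat rule).
Router#show ip nat translations | include 10.16.3.
! Must return nothing: VPN traffic that appears here is being translated, which means
! the deny line of ACL 100 is not matching it.
!
! Site B ASA (8.2). ROUTER-WAN-IP is a placeholder for the router's public address.
ciscoasa#show crypto isakmp sa
! Expect the router's WAN address with "State : MM_ACTIVE".
ciscoasa#show crypto ipsec sa peer ROUTER-WAN-IP
! Same encaps/decaps check as on the router, with the local/remote identities reversed.
ciscoasa#debug crypto isakmp 127
! Only if phase 1 fails: a proposal mismatch ("no matching policy") or a pre-shared key
! mismatch is reported here; turn it off again with "undebug all".
```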
